Krebs on Security

In-depth security news and investigation

Posts Tagged: POSeidon

For the second time in the past nine months, Google has inadvertently but nonetheless correctly helped to identify the source of a large credit card breach — by assigning a “This site may be hacked” warning beneath the search results for the Web site of a victimized merchant.

A little over a month ago, KrebsOnSecurity was contacted by multiple financial institutions whose anti-fraud teams were trying to trace the source of a great deal of fraud on cards that were all used at a handful of high-end restaurants around the country.

Two of those fraud teams shared a list of restaurants that all affected cardholders had visited recently. A bit of searching online showed that nearly all of those establishments were run by Select Restaurants Inc., a Cleveland, Ohio company that owns a number of well-known eateries nationwide, including Boston’s Top of the Hub; Parker’s Lighthouse in Long Beach, Calif.; the Rusty Scupper in Baltimore, Md.; Parkers Blue Ash Tavern in Cincinnati, Ohio; Parkers’ Restaurant & Bar in Downers Grove, Illinois; Winberie’s Restaurant & Bar with locations in Oak Park, Illinois and Princeton and Summit, New Jersey; and Black Powder Tavern in Valley Forge, PA.

Google’s search listing for Select Restaurants, which indicates Google thinks this site may be hacked.

Knowing very little about this company at the time, I ran a Google search for it and noticed that Google believes the site may be hacked (it still carries this message). This generally means some portion of the site was compromised by scammers who are trying to abuse the site’s search engine rankings to beef up the rankings for “spammy” sites — such as those peddling counterfeit prescription drugs and designer handbags.

The “This site may be hacked” advisory is not quite as dire as Google’s “This site may harm your computer” warning — the latter usually means the site is actively trying to foist malware on the visitor’s computer. But in my experience it’s never a good sign when a business that accepts credit cards has one of these warnings attached to its search engine results.

Case in point: I experienced this exact scenario last summer as I was reporting out the details on the breach at CiCi’s Pizza chain. In researching that story, all signs were pointing to a point-of-sale (POS) terminal provider called Datapoint POS. Just like it did with Select Restaurants’s site, Google reported that Datapoint’s site appeared to be hacked.

Google believed Datapoint’s Web site was hacked.

Select Restaurants did not return messages seeking comment. But as with the breach at Cici’s Pizza chains, the breach involving Select Restaurant locations mentioned above appears to have been the result of an intrusion at the company’s POS vendor — Geneva, Ill. based 24×7 Hospitality Technology. 24×7 handles credit and debit card transactions for thousands of hotels and restaurants.

On Feb. 14, 24×7 Hospitality sent a letter to customers warning that its systems recently were hacked by a “sophisticated network intrusion through a remote access application.” Translation: Someone guessed or phished the password that we use to remotely administer point-of-sale systems at its customer locations. 24×7 said the attackers subsequently executed the PoSeidon malware variant, which is designed to siphon card data when cashiers swipe credit cards at an infected cash register (for more on PoSeidon, check out POS Providers Feel Brunt of PoSeidon Malware).

KrebsOnSecurity obtained a copy of the letter (PDF) that 24×7 Hospitality CEO Todd Baker, Jr. sent to Select Restaurants. That missive said even though the intruders apparently had access to all of 24×7 customers’ payment systems, not all of those systems were logged into by the hackers. Alas, this was probably little consolation for Select Restaurants, because the letter then goes on to say that the breach involves all of the restaurants listed on Select’s Web site, and that the breach appears to have extended from late October 2016 to mid-January 2017. Continue reading →

“PoSeidon,” a new strain of malicious software designed to steal credit and debit card data from hacked point-of-sale (POS) devices, has been implicated in a number of recent breaches involving companies that provide POS services primarily to restaurants, bars and hotels. The shift by the card thieves away from targeting major retailers like Target and Home Depot to attacking countless, smaller users of POS systems is giving financial institutions a run for their money as they struggle to figure out which merchants are responsible for card fraud.

Image: Cisco.

One basic tool that banks use to learn the source of card data theft involves determining a “common point-of-purchase” (CPP) among a given set of customer cards that experience fraud. When a new batch of cards goes on sale at an online crime shop, banks will often purchase a very small number of their stolen cards to determine if the victim customers all shopped at the same merchant across a specific time period.

This same CPP analysis was critical to banks helping this reporter identify some of the biggest retail breaches on record in recent years, and it is a method heavily relied upon by law enforcement agencies to identify breach victims.

But the CPP approach usually falls flat if all of the cards purchased from the fraud shop fail to reveal a common merchant. More seasoned fraud shops have sought to achieve this confusion and confound investigators by “making sausage” — i.e., methodically mixing cards stolen from multiple victims into any single new batch of stolen cards that they offer for sale.

Increasingly, however, fraudsters selling stolen cards don’t need to make sausage: The victims that are leaking card data are already subsets of restaurant franchises or retail establishments whose only commonality is the branded point-of-sale device which they rely upon to process customer card transactions.

NEXTEP

Card breaches involving POS devices sold by the same vendor are notoriously hard for financial institutions to diagnose because the banks very often have a direct relationship with neither the POS vendor nor the breached restaurant or bar whose customers’ cards were stolen.

What’s more, POS-specific breaches frequently tie back to a subset of customers of a POS vendor who in turn rely on local IT company to install and support the POS systems. The commonality among breached restaurants and bars tends to be those who have relied on a support firm that invariably enables remote access to the POS systems via tools like pcAnywhere or LogMeIn using the same or easily-guessed username and password across many customer systems. Once remotely authenticated to the targeted systems, thieves can upload malware like POSeidon, which is capable of capturing all card data processed by the victim POS.

A few weeks ago, this reporter broke the news that multiple systems run by POS vendor NEXTEP had experienced a breach. The banks were only able to pinpoint NEXTEP systems as the source because the overwhelming number of merchants impacted in that breached happened to be NEXTEP customers who also were part of the Zoup chain of soup restaurants.

“You may have seen the discussions of the ‘PoSeidon’ malware that specifically targeted point of sale systems,” NEXTEP CEO Tommy Woycik said in a follow-up email. “Within thirty-six hours of the point that we learned of the problem we were able to internally use our resources to block further data compromise with most of our customers. We retained and worked with two different sets of consultants to fix all remaining problems and to evaluate, on an ongoing basis, the effectiveness of the fixes.”

Woycik said the company also is investigating why the vast majority of its customers had no compromise of information, but that the hack was limited to a few identified locations. Part of the problem was that some of the breached locations relied on point-of-sale management firms that refused to cooperate in the investigation.

“We have been somewhat hampered in our investigation because some parties involved in the locations that we believe may have been affected have been unwilling to provide us with critical data,” he said.